Report: NSA not only creates, but also hijacks, malware

Lucian Constantin |
Jan. 20, 2015

In addition to having its own arsenal of digital weapons, the U.S. National Security Agency reportedly hijacks and repurposes third-party malware.

The documents published by Der Spiegel, drawn from the files leaked by Edward Snowden, also shine more light on the malware capabilities of the NSA and its Five Eyes partners -- the intelligence agencies of the U.K., Canada, Australia and New Zealand.

One leaked document from the Communications Security Establishment Canada (CSEC) describes a unified computer network exploitation platform codenamed WARRIORPRIDE that is used by all Five Eyes partners and can be extended through plug-ins.

Der Spiegel released samples of an old keylogger program dubbed QWERTY that likely acted as a WARRIORPRIDE plug-in, so that the security industry can analyze it and possibly find other connections. The keylogger was among the files leaked by Snowden to journalists.

Another leaked document dated June 2012 describes the technical accomplishments of a malware writer working for one of the Five Eyes agencies. One of the computer network attack (CNA) tools he developed is codenamed PITIEDFOOL and can be used to wipe data from computer hard disk drives at a preconfigured time, after first disabling the Volume Shadow Copy Service (VSS), the Windows snapshot service whose shadow copies can be used to restore files. Disabling VSS before the wipe removes the one local copy of the data a victim could otherwise roll back to.

"I took a build of FUZZYEBOLA from last month, and without recompiling inserted the PITIEDFOOL binary with configuration details to execute it at a certain time," the tool's author wrote describing a test. "At that time I saw the process usage slightly increase (from 0% to around 2%) and a few minutes later the system rebooted and didn't come back up. Running a file recovery tool over the entire drive yielded some files (from scraping headers) but nearly the entire contents of the drive were irrecoverable, and if it had been configured to securely wipe every sector on the drive after killing the MFT and VSS it wouldn't have been able to recover anything at all. Success!"
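The leaked note does not say how PITIEDFOOL disables VSS, and the sample below is not code from the documents or from any of the tools named in this article. It is an added example of the defensive check a security team would want after reading it: the wipe is scheduled, so the VSS tampering that precedes it is the early warning. The script runs a handful of detection rules over constructed Windows process-creation records (the field names and the command lines are made up for this example, loosely modelled on event ID 4688 and Sysmon event 1) and flags the commonly abused ways of deleting shadow copies or stopping the service, while leaving benign enumeration such as `vssadmin list shadows` alone.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records for the example. These are made-up
# samples, not logs from any real system; the field names loosely follow
# Windows event ID 4688 / Sysmon event 1.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config vss start= disabled"},
    {"host": "ws02", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }\""},
    {"host": "ws03", "user": "CORP\\carol",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign enumeration, must not alert
    {"host": "ws03", "user": "CORP\\carol",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# Detection rules: (rule name, regex matched against the normalised command line).
# These cover the usual shadow-copy deletion and VSS service tampering commands;
# they are assumptions about common tradecraft, not the leaked tool's method.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_storage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vss_service_disabled",
     re.compile(r"\bsc(?:\.exe)?\b\s+(?:config|stop)\s+vss\b")),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b")),
]


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str


def normalise(cmdline: str) -> str:
    # Collapse runs of whitespace and lower-case so that casing or padding
    # tricks ("Delete   SHADOWS") do not slip past the regexes.
    return " ".join(cmdline.split()).lower()


def detect_vss_tampering(events):
    """Return one Alert per event whose command line matches a rule."""
    alerts = []
    for ev in events:
        cmd = normalise(ev["cmdline"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ev["host"], ev["user"], name, ev["cmdline"]))
                break  # first matching rule wins; one alert per event
    return alerts


def hosts_to_triage(events):
    """Hosts where VSS was tampered with: candidates for a pending wipe."""
    return sorted({a.host for a in detect_vss_tampering(events)})


if __name__ == "__main__":
    for a in detect_vss_tampering(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.cmdline}")
    print("hosts to triage:", hosts_to_triage(SAMPLE_EVENTS))
```

On the constructed sample this raises four alerts on ws01 and ws02 and none on ws03. In practice a hit on any of these rules from an unexpected account or image should be treated as a possible precursor to data destruction, since by the time the scheduled wipe runs the shadow copies are already gone.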

If national security agencies are adopting such destructive file-wiping malware, its use might become a frequent occurrence in the future. Wiper malware was used in August 2012 to destroy data on 30,000 computers at Saudi Aramco, the national oil company of Saudi Arabia; in March 2013 against South Korean banks and broadcasting organizations; and recently against Sony Pictures Entertainment in the U.S.

In each of those cases, previously unknown hacktivist groups claimed responsibility for the attacks. However, the FBI later attributed the attack against Sony to North Korea, resulting in new U.S. sanctions against the country.